From: Greg Kroah-Hartman Date: Sun, 30 Apr 2017 14:11:09 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v4.4.66~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8717ddb0127d2a554c5a46f3f08eb6cce0ee737d;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: alsa-seq-don-t-break-snd_use_lock_sync-loop-by-timeout.patch input-i8042-add-clevo-p650rs-to-the-i8042-reset-list.patch ip6mr-fix-notification-device-destruction.patch l2tp-purge-socket-queues-in-the-.destruct-callback.patch mips-kgdb-use-kernel-context-for-sleeping-threads.patch net-ipv4-fix-multipath-rtm_getroute-behavior-when-iif-is-given.patch net-neigh-guard-against-null-solicit-method.patch net-packet-fix-overflow-in-check-for-tp_frame_nr.patch net-packet-fix-overflow-in-check-for-tp_reserve.patch net-phy-handle-state-correctly-in-phy_stop_machine.patch netpoll-check-for-skb-queue_mapping.patch nfsd-check-for-oversized-nfsv2-v3-arguments.patch p9_client_readdir-fix.patch sctp-listen-on-the-sock-only-when-it-s-state-is-listening-or-closed.patch --- diff --git a/queue-3.18/alsa-seq-don-t-break-snd_use_lock_sync-loop-by-timeout.patch b/queue-3.18/alsa-seq-don-t-break-snd_use_lock_sync-loop-by-timeout.patch new file mode 100644 index 00000000000..d79e5f90c27 --- /dev/null +++ b/queue-3.18/alsa-seq-don-t-break-snd_use_lock_sync-loop-by-timeout.patch @@ -0,0 +1,57 @@ +From 4e7655fd4f47c23e5249ea260dc802f909a64611 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Sun, 9 Apr 2017 10:41:27 +0200 +Subject: ALSA: seq: Don't break snd_use_lock_sync() loop by timeout + +From: Takashi Iwai + +commit 4e7655fd4f47c23e5249ea260dc802f909a64611 upstream. + +The snd_use_lock_sync() (thus its implementation +snd_use_lock_sync_helper()) has the 5 seconds timeout to break out of +the sync loop. It was introduced from the beginning, just to be +"safer", in terms of avoiding the stupid bugs. + +However, as Ben Hutchings suggested, this timeout rather introduces a +potential leak or use-after-free that was apparently fixed by the +commit 2d7d54002e39 ("ALSA: seq: Fix race during FIFO resize"): +for example, snd_seq_fifo_event_in() -> snd_seq_event_dup() -> +copy_from_user() could block for a long time, and snd_use_lock_sync() +goes timeout and still leaves the cell at releasing the pool. + +For fixing such a problem, we remove the break by the timeout while +still keeping the warning. + +Suggested-by: Ben Hutchings +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/seq/seq_lock.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +--- a/sound/core/seq/seq_lock.c ++++ b/sound/core/seq/seq_lock.c +@@ -28,19 +28,16 @@ + /* wait until all locks are released */ + void snd_use_lock_sync_helper(snd_use_lock_t *lockp, const char *file, int line) + { +- int max_count = 5 * HZ; ++ int warn_count = 5 * HZ; + + if (atomic_read(lockp) < 0) { + pr_warn("ALSA: seq_lock: lock trouble [counter = %d] in %s:%d\n", atomic_read(lockp), file, line); + return; + } + while (atomic_read(lockp) > 0) { +- if (max_count == 0) { +- pr_warn("ALSA: seq_lock: timeout [%d left] in %s:%d\n", atomic_read(lockp), file, line); +- break; +- } ++ if (warn_count-- == 0) ++ pr_warn("ALSA: seq_lock: waiting [%d left] in %s:%d\n", atomic_read(lockp), file, line); + schedule_timeout_uninterruptible(1); +- max_count--; + } + } + diff --git a/queue-3.18/input-i8042-add-clevo-p650rs-to-the-i8042-reset-list.patch b/queue-3.18/input-i8042-add-clevo-p650rs-to-the-i8042-reset-list.patch new file mode 100644 index 00000000000..f7e8724366c --- /dev/null +++ b/queue-3.18/input-i8042-add-clevo-p650rs-to-the-i8042-reset-list.patch @@ -0,0 +1,41 @@ +From 7c5bb4ac2b76d2a09256aec8a7d584bf3e2b0466 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Thu, 13 Apr 2017 15:36:31 -0700 +Subject: Input: i8042 - add Clevo P650RS to the i8042 reset list +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dmitry Torokhov + +commit 7c5bb4ac2b76d2a09256aec8a7d584bf3e2b0466 upstream. + +Clevo P650RS and other similar devices require i8042 to be reset in order +to detect Synaptics touchpad. + +Reported-by: Paweł Bylica +Tested-by: Ed Bordin +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=190301 +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/serio/i8042-x86ia64io.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/input/serio/i8042-x86ia64io.h ++++ b/drivers/input/serio/i8042-x86ia64io.h +@@ -595,6 +595,13 @@ static const struct dmi_system_id __init + DMI_MATCH(DMI_PRODUCT_NAME, "20046"), + }, + }, ++ { ++ /* Clevo P650RS, 650RP6, Sager NP8152-S, and others */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Notebook"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "P65xRP"), ++ }, ++ }, + { } + }; + diff --git a/queue-3.18/ip6mr-fix-notification-device-destruction.patch b/queue-3.18/ip6mr-fix-notification-device-destruction.patch new file mode 100644 index 00000000000..d25de3eb4d2 --- /dev/null +++ b/queue-3.18/ip6mr-fix-notification-device-destruction.patch @@ -0,0 +1,131 @@ +From foo@baz Sun Apr 30 15:50:51 CEST 2017 +From: Nikolay Aleksandrov +Date: Fri, 21 Apr 2017 20:42:16 +0300 +Subject: ip6mr: fix notification device destruction + +From: Nikolay Aleksandrov + + +[ Upstream commit 723b929ca0f79c0796f160c2eeda4597ee98d2b8 ] + +Andrey Konovalov reported a BUG caused by the ip6mr code which is caused +because we call unregister_netdevice_many for a device that is already +being destroyed. In IPv4's ipmr that has been resolved by two commits +long time ago by introducing the "notify" parameter to the delete +function and avoiding the unregister when called from a notifier, so +let's do the same for ip6mr. + +The trace from Andrey: +------------[ cut here ]------------ +kernel BUG at net/core/dev.c:6813! +invalid opcode: 0000 [#1] SMP KASAN +Modules linked in: +CPU: 1 PID: 1165 Comm: kworker/u4:3 Not tainted 4.11.0-rc7+ #251 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs +01/01/2011 +Workqueue: netns cleanup_net +task: ffff880069208000 task.stack: ffff8800692d8000 +RIP: 0010:rollback_registered_many+0x348/0xeb0 net/core/dev.c:6813 +RSP: 0018:ffff8800692de7f0 EFLAGS: 00010297 +RAX: ffff880069208000 RBX: 0000000000000002 RCX: 0000000000000001 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88006af90569 +RBP: ffff8800692de9f0 R08: ffff8800692dec60 R09: 0000000000000000 +R10: 0000000000000006 R11: 0000000000000000 R12: ffff88006af90070 +R13: ffff8800692debf0 R14: dffffc0000000000 R15: ffff88006af90000 +FS: 0000000000000000(0000) GS:ffff88006cb00000(0000) +knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fe7e897d870 CR3: 00000000657e7000 CR4: 00000000000006e0 +Call Trace: + unregister_netdevice_many.part.105+0x87/0x440 net/core/dev.c:7881 + unregister_netdevice_many+0xc8/0x120 net/core/dev.c:7880 + ip6mr_device_event+0x362/0x3f0 net/ipv6/ip6mr.c:1346 + notifier_call_chain+0x145/0x2f0 kernel/notifier.c:93 + __raw_notifier_call_chain kernel/notifier.c:394 + raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 + call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1647 + call_netdevice_notifiers net/core/dev.c:1663 + rollback_registered_many+0x919/0xeb0 net/core/dev.c:6841 + unregister_netdevice_many.part.105+0x87/0x440 net/core/dev.c:7881 + unregister_netdevice_many net/core/dev.c:7880 + default_device_exit_batch+0x4fa/0x640 net/core/dev.c:8333 + ops_exit_list.isra.4+0x100/0x150 net/core/net_namespace.c:144 + cleanup_net+0x5a8/0xb40 net/core/net_namespace.c:463 + process_one_work+0xc04/0x1c10 kernel/workqueue.c:2097 + worker_thread+0x223/0x19c0 kernel/workqueue.c:2231 + kthread+0x35e/0x430 kernel/kthread.c:231 + ret_from_fork+0x31/0x40 arch/x86/entry/entry_64.S:430 +Code: 3c 32 00 0f 85 70 0b 00 00 48 b8 00 02 00 00 00 00 ad de 49 89 +47 78 e9 93 fe ff ff 49 8d 57 70 49 8d 5f 78 eb 9e e8 88 7a 14 fe <0f> +0b 48 8b 9d 28 fe ff ff e8 7a 7a 14 fe 48 b8 00 00 00 00 00 +RIP: rollback_registered_many+0x348/0xeb0 RSP: ffff8800692de7f0 +---[ end trace e0b29c57e9b3292c ]--- + +Reported-by: Andrey Konovalov +Signed-off-by: Nikolay Aleksandrov +Tested-by: Andrey Konovalov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6mr.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +--- a/net/ipv6/ip6mr.c ++++ b/net/ipv6/ip6mr.c +@@ -776,7 +776,8 @@ failure: + * Delete a VIF entry + */ + +-static int mif6_delete(struct mr6_table *mrt, int vifi, struct list_head *head) ++static int mif6_delete(struct mr6_table *mrt, int vifi, int notify, ++ struct list_head *head) + { + struct mif_device *v; + struct net_device *dev; +@@ -822,7 +823,7 @@ static int mif6_delete(struct mr6_table + dev->ifindex, &in6_dev->cnf); + } + +- if (v->flags & MIFF_REGISTER) ++ if ((v->flags & MIFF_REGISTER) && !notify) + unregister_netdevice_queue(dev, head); + + dev_put(dev); +@@ -1331,7 +1332,6 @@ static int ip6mr_device_event(struct not + struct mr6_table *mrt; + struct mif_device *v; + int ct; +- LIST_HEAD(list); + + if (event != NETDEV_UNREGISTER) + return NOTIFY_DONE; +@@ -1340,10 +1340,9 @@ static int ip6mr_device_event(struct not + v = &mrt->vif6_table[0]; + for (ct = 0; ct < mrt->maxvif; ct++, v++) { + if (v->dev == dev) +- mif6_delete(mrt, ct, &list); ++ mif6_delete(mrt, ct, 1, NULL); + } + } +- unregister_netdevice_many(&list); + + return NOTIFY_DONE; + } +@@ -1552,7 +1551,7 @@ static void mroute_clean_tables(struct m + for (i = 0; i < mrt->maxvif; i++) { + if (!all && (mrt->vif6_table[i].flags & VIFF_STATIC)) + continue; +- mif6_delete(mrt, i, &list); ++ mif6_delete(mrt, i, 0, &list); + } + unregister_netdevice_many(&list); + +@@ -1705,7 +1704,7 @@ int ip6_mroute_setsockopt(struct sock *s + if (copy_from_user(&mifi, optval, sizeof(mifi_t))) + return -EFAULT; + rtnl_lock(); +- ret = mif6_delete(mrt, mifi, NULL); ++ ret = mif6_delete(mrt, mifi, 0, NULL); + rtnl_unlock(); + return ret; + diff --git a/queue-3.18/l2tp-purge-socket-queues-in-the-.destruct-callback.patch b/queue-3.18/l2tp-purge-socket-queues-in-the-.destruct-callback.patch new file mode 100644 index 00000000000..d513575badc --- /dev/null +++ b/queue-3.18/l2tp-purge-socket-queues-in-the-.destruct-callback.patch @@ -0,0 +1,49 @@ +From foo@baz Sun Apr 30 15:50:51 CEST 2017 +From: Guillaume Nault +Date: Wed, 29 Mar 2017 08:45:29 +0200 +Subject: l2tp: purge socket queues in the .destruct() callback + +From: Guillaume Nault + + +[ Upstream commit e91793bb615cf6cdd59c0b6749fe173687bb0947 ] + +The Rx path may grab the socket right before pppol2tp_release(), but +nothing guarantees that it will enqueue packets before +skb_queue_purge(). Therefore, the socket can be destroyed without its +queues fully purged. + +Fix this by purging queues in pppol2tp_session_destruct() where we're +guaranteed nothing is still referencing the socket. + +Fixes: 9e9cb6221aa7 ("l2tp: fix userspace reception on plain L2TP sockets") +Signed-off-by: Guillaume Nault +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/l2tp/l2tp_ppp.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/net/l2tp/l2tp_ppp.c ++++ b/net/l2tp/l2tp_ppp.c +@@ -469,6 +469,10 @@ static void pppol2tp_session_close(struc + static void pppol2tp_session_destruct(struct sock *sk) + { + struct l2tp_session *session = sk->sk_user_data; ++ ++ skb_queue_purge(&sk->sk_receive_queue); ++ skb_queue_purge(&sk->sk_write_queue); ++ + if (session) { + sk->sk_user_data = NULL; + BUG_ON(session->magic != L2TP_SESSION_MAGIC); +@@ -507,9 +511,6 @@ static int pppol2tp_release(struct socke + l2tp_session_queue_purge(session); + sock_put(sk); + } +- skb_queue_purge(&sk->sk_receive_queue); +- skb_queue_purge(&sk->sk_write_queue); +- + release_sock(sk); + + /* This will delete the session context via diff --git a/queue-3.18/mips-kgdb-use-kernel-context-for-sleeping-threads.patch b/queue-3.18/mips-kgdb-use-kernel-context-for-sleeping-threads.patch new file mode 100644 index 00000000000..22f985ab3f9 --- /dev/null +++ b/queue-3.18/mips-kgdb-use-kernel-context-for-sleeping-threads.patch @@ -0,0 +1,125 @@ +From 162b270c664dca2e0944308e92f9fcc887151a72 Mon Sep 17 00:00:00 2001 +From: James Hogan +Date: Thu, 30 Mar 2017 16:06:02 +0100 +Subject: MIPS: KGDB: Use kernel context for sleeping threads + +From: James Hogan + +commit 162b270c664dca2e0944308e92f9fcc887151a72 upstream. + +KGDB is a kernel debug stub and it can't be used to debug userland as it +can only safely access kernel memory. + +On MIPS however KGDB has always got the register state of sleeping +processes from the userland register context at the beginning of the +kernel stack. This is meaningless for kernel threads (which never enter +userland), and for user threads it prevents the user seeing what it is +doing while in the kernel: + +(gdb) info threads + Id Target Id Frame + ... + 3 Thread 2 (kthreadd) 0x0000000000000000 in ?? () + 2 Thread 1 (init) 0x000000007705c4b4 in ?? () + 1 Thread -2 (shadowCPU0) 0xffffffff8012524c in arch_kgdb_breakpoint () at arch/mips/kernel/kgdb.c:201 + +Get the register state instead from the (partial) kernel register +context stored in the task's thread_struct for resume() to restore. All +threads now correctly appear to be in context_switch(): + +(gdb) info threads + Id Target Id Frame + ... + 3 Thread 2 (kthreadd) context_switch (rq=, cookie=..., next=, prev=0x0) at kernel/sched/core.c:2903 + 2 Thread 1 (init) context_switch (rq=, cookie=..., next=, prev=0x0) at kernel/sched/core.c:2903 + 1 Thread -2 (shadowCPU0) 0xffffffff8012524c in arch_kgdb_breakpoint () at arch/mips/kernel/kgdb.c:201 + +Call clobbered registers which aren't saved and exception registers +(BadVAddr & Cause) which can't be easily determined without stack +unwinding are reported as 0. The PC is taken from the return address, +such that the state presented matches that found immediately after +returning from resume(). + +Fixes: 8854700115ec ("[MIPS] kgdb: add arch support for the kernel's kgdb core") +Signed-off-by: James Hogan +Cc: Jason Wessel +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/15829/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/kgdb.c | 48 +++++++++++++++++++++++++++++++++--------------- + 1 file changed, 33 insertions(+), 15 deletions(-) + +--- a/arch/mips/kernel/kgdb.c ++++ b/arch/mips/kernel/kgdb.c +@@ -244,9 +244,6 @@ static int compute_signal(int tt) + void sleeping_thread_to_gdb_regs(unsigned long *gdb_regs, struct task_struct *p) + { + int reg; +- struct thread_info *ti = task_thread_info(p); +- unsigned long ksp = (unsigned long)ti + THREAD_SIZE - 32; +- struct pt_regs *regs = (struct pt_regs *)ksp - 1; + #if (KGDB_GDB_REG_SIZE == 32) + u32 *ptr = (u32 *)gdb_regs; + #else +@@ -254,25 +251,46 @@ void sleeping_thread_to_gdb_regs(unsigne + #endif + + for (reg = 0; reg < 16; reg++) +- *(ptr++) = regs->regs[reg]; ++ *(ptr++) = 0; + + /* S0 - S7 */ +- for (reg = 16; reg < 24; reg++) +- *(ptr++) = regs->regs[reg]; ++ *(ptr++) = p->thread.reg16; ++ *(ptr++) = p->thread.reg17; ++ *(ptr++) = p->thread.reg18; ++ *(ptr++) = p->thread.reg19; ++ *(ptr++) = p->thread.reg20; ++ *(ptr++) = p->thread.reg21; ++ *(ptr++) = p->thread.reg22; ++ *(ptr++) = p->thread.reg23; + + for (reg = 24; reg < 28; reg++) + *(ptr++) = 0; + + /* GP, SP, FP, RA */ +- for (reg = 28; reg < 32; reg++) +- *(ptr++) = regs->regs[reg]; +- +- *(ptr++) = regs->cp0_status; +- *(ptr++) = regs->lo; +- *(ptr++) = regs->hi; +- *(ptr++) = regs->cp0_badvaddr; +- *(ptr++) = regs->cp0_cause; +- *(ptr++) = regs->cp0_epc; ++ *(ptr++) = (long)p; ++ *(ptr++) = p->thread.reg29; ++ *(ptr++) = p->thread.reg30; ++ *(ptr++) = p->thread.reg31; ++ ++ *(ptr++) = p->thread.cp0_status; ++ ++ /* lo, hi */ ++ *(ptr++) = 0; ++ *(ptr++) = 0; ++ ++ /* ++ * BadVAddr, Cause ++ * Ideally these would come from the last exception frame up the stack ++ * but that requires unwinding, otherwise we can't know much for sure. ++ */ ++ *(ptr++) = 0; ++ *(ptr++) = 0; ++ ++ /* ++ * PC ++ * use return address (RA), i.e. the moment after return from resume() ++ */ ++ *(ptr++) = p->thread.reg31; + } + + void kgdb_arch_set_pc(struct pt_regs *regs, unsigned long pc) diff --git a/queue-3.18/net-ipv4-fix-multipath-rtm_getroute-behavior-when-iif-is-given.patch b/queue-3.18/net-ipv4-fix-multipath-rtm_getroute-behavior-when-iif-is-given.patch new file mode 100644 index 00000000000..91aa26c9f3f --- /dev/null +++ b/queue-3.18/net-ipv4-fix-multipath-rtm_getroute-behavior-when-iif-is-given.patch @@ -0,0 +1,37 @@ +From foo@baz Sun Apr 30 15:50:51 CEST 2017 +From: Florian Larysch +Date: Mon, 3 Apr 2017 16:46:09 +0200 +Subject: net: ipv4: fix multipath RTM_GETROUTE behavior when iif is given + +From: Florian Larysch + + +[ Upstream commit a8801799c6975601fd58ae62f48964caec2eb83f ] + +inet_rtm_getroute synthesizes a skeletal ICMP skb, which is passed to +ip_route_input when iif is given. If a multipath route is present for +the designated destination, ip_multipath_icmp_hash ends up being called, +which uses the source/destination addresses within the skb to calculate +a hash. However, those are not set in the synthetic skb, causing it to +return an arbitrary and incorrect result. + +Instead, use UDP, which gets no such special treatment. + +Signed-off-by: Florian Larysch +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/route.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -2436,7 +2436,7 @@ static int inet_rtm_getroute(struct sk_b + skb_reset_network_header(skb); + + /* Bugfix: need to give ip_route_input enough of an IP header to not gag. */ +- ip_hdr(skb)->protocol = IPPROTO_ICMP; ++ ip_hdr(skb)->protocol = IPPROTO_UDP; + skb_reserve(skb, MAX_HEADER + sizeof(struct iphdr)); + + src = tb[RTA_SRC] ? nla_get_be32(tb[RTA_SRC]) : 0; diff --git a/queue-3.18/net-neigh-guard-against-null-solicit-method.patch b/queue-3.18/net-neigh-guard-against-null-solicit-method.patch new file mode 100644 index 00000000000..2f0eda2b3d9 --- /dev/null +++ b/queue-3.18/net-neigh-guard-against-null-solicit-method.patch @@ -0,0 +1,38 @@ +From foo@baz Sun Apr 30 15:50:51 CEST 2017 +From: Eric Dumazet +Date: Thu, 23 Mar 2017 12:39:21 -0700 +Subject: net: neigh: guard against NULL solicit() method + +From: Eric Dumazet + + +[ Upstream commit 48481c8fa16410ffa45939b13b6c53c2ca609e5f ] + +Dmitry posted a nice reproducer of a bug triggering in neigh_probe() +when dereferencing a NULL neigh->ops->solicit method. + +This can happen for arp_direct_ops/ndisc_direct_ops and similar, +which can be used for NUD_NOARP neighbours (created when dev->header_ops +is NULL). Admin can then force changing nud_state to some other state +that would fire neigh timer. + +Signed-off-by: Eric Dumazet +Reported-by: Dmitry Vyukov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/neighbour.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -875,7 +875,8 @@ static void neigh_probe(struct neighbour + if (skb) + skb = skb_copy(skb, GFP_ATOMIC); + write_unlock(&neigh->lock); +- neigh->ops->solicit(neigh, skb); ++ if (neigh->ops->solicit) ++ neigh->ops->solicit(neigh, skb); + atomic_inc(&neigh->probes); + kfree_skb(skb); + } diff --git a/queue-3.18/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch b/queue-3.18/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch new file mode 100644 index 00000000000..1bbc9a6d12d --- /dev/null +++ b/queue-3.18/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch @@ -0,0 +1,37 @@ +From foo@baz Sun Apr 30 15:50:51 CEST 2017 +From: Andrey Konovalov +Date: Wed, 29 Mar 2017 16:11:21 +0200 +Subject: net/packet: fix overflow in check for tp_frame_nr + +From: Andrey Konovalov + + +[ Upstream commit 8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b ] + +When calculating rb->frames_per_block * req->tp_block_nr the result +can overflow. + +Add a check that tp_block_size * tp_block_nr <= UINT_MAX. + +Since frames_per_block <= tp_block_size, the expression would +never overflow. + +Signed-off-by: Andrey Konovalov +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/packet/af_packet.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -3820,6 +3820,8 @@ static int packet_set_ring(struct sock * + rb->frames_per_block = req->tp_block_size/req->tp_frame_size; + if (unlikely(rb->frames_per_block <= 0)) + goto out; ++ if (unlikely(req->tp_block_size > UINT_MAX / req->tp_block_nr)) ++ goto out; + if (unlikely((rb->frames_per_block * req->tp_block_nr) != + req->tp_frame_nr)) + goto out; diff --git a/queue-3.18/net-packet-fix-overflow-in-check-for-tp_reserve.patch b/queue-3.18/net-packet-fix-overflow-in-check-for-tp_reserve.patch new file mode 100644 index 00000000000..eedaebd7e6b --- /dev/null +++ b/queue-3.18/net-packet-fix-overflow-in-check-for-tp_reserve.patch @@ -0,0 +1,33 @@ +From foo@baz Sun Apr 30 15:50:51 CEST 2017 +From: Andrey Konovalov +Date: Wed, 29 Mar 2017 16:11:22 +0200 +Subject: net/packet: fix overflow in check for tp_reserve + +From: Andrey Konovalov + + +[ Upstream commit bcc5364bdcfe131e6379363f089e7b4108d35b70 ] + +When calculating po->tp_hdrlen + po->tp_reserve the result can overflow. + +Fix by checking that tp_reserve <= INT_MAX on assign. + +Signed-off-by: Andrey Konovalov +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/packet/af_packet.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -3314,6 +3314,8 @@ packet_setsockopt(struct socket *sock, i + return -EBUSY; + if (copy_from_user(&val, optval, sizeof(val))) + return -EFAULT; ++ if (val > INT_MAX) ++ return -EINVAL; + po->tp_reserve = val; + return 0; + } diff --git a/queue-3.18/net-phy-handle-state-correctly-in-phy_stop_machine.patch b/queue-3.18/net-phy-handle-state-correctly-in-phy_stop_machine.patch new file mode 100644 index 00000000000..22dfc6263f9 --- /dev/null +++ b/queue-3.18/net-phy-handle-state-correctly-in-phy_stop_machine.patch @@ -0,0 +1,37 @@ +From foo@baz Sun Apr 30 15:50:51 CEST 2017 +From: Nathan Sullivan +Date: Wed, 22 Mar 2017 15:27:01 -0500 +Subject: net: phy: handle state correctly in phy_stop_machine + +From: Nathan Sullivan + + +[ Upstream commit 49d52e8108a21749dc2114b924c907db43358984 ] + +If the PHY is halted on stop, then do not set the state to PHY_UP. This +ensures the phy will be restarted later in phy_start when the machine is +started again. + +Fixes: 00db8189d984 ("This patch adds a PHY Abstraction Layer to the Linux Kernel, enabling ethernet drivers to remain as ignorant as is reasonable of the connected PHY's design and operation details.") +Signed-off-by: Nathan Sullivan +Signed-off-by: Brad Mouring +Acked-by: Xander Huff +Acked-by: Kyle Roeschley +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/phy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/phy/phy.c ++++ b/drivers/net/phy/phy.c +@@ -506,7 +506,7 @@ void phy_stop_machine(struct phy_device + cancel_delayed_work_sync(&phydev->state_queue); + + mutex_lock(&phydev->lock); +- if (phydev->state > PHY_UP) ++ if (phydev->state > PHY_UP && phydev->state != PHY_HALTED) + phydev->state = PHY_UP; + mutex_unlock(&phydev->lock); + } diff --git a/queue-3.18/netpoll-check-for-skb-queue_mapping.patch b/queue-3.18/netpoll-check-for-skb-queue_mapping.patch new file mode 100644 index 00000000000..7f3265ce49c --- /dev/null +++ b/queue-3.18/netpoll-check-for-skb-queue_mapping.patch @@ -0,0 +1,104 @@ +From foo@baz Sun Apr 30 15:50:51 CEST 2017 +From: Tushar Dave +Date: Thu, 20 Apr 2017 15:57:31 -0700 +Subject: netpoll: Check for skb->queue_mapping + +From: Tushar Dave + + +[ Upstream commit c70b17b775edb21280e9de7531acf6db3b365274 ] + +Reducing real_num_tx_queues needs to be in sync with skb queue_mapping +otherwise skbs with queue_mapping greater than real_num_tx_queues +can be sent to the underlying driver and can result in kernel panic. + +One such event is running netconsole and enabling VF on the same +device. Or running netconsole and changing number of tx queues via +ethtool on same device. + +e.g. +Unable to handle kernel NULL pointer dereference +tsk->{mm,active_mm}->context = 0000000000001525 +tsk->{mm,active_mm}->pgd = fff800130ff9a000 + \|/ ____ \|/ + "@'/ .. \`@" + /_| \__/ |_\ + \__U_/ +kworker/48:1(475): Oops [#1] +CPU: 48 PID: 475 Comm: kworker/48:1 Tainted: G OE +4.11.0-rc3-davem-net+ #7 +Workqueue: events queue_process +task: fff80013113299c0 task.stack: fff800131132c000 +TSTATE: 0000004480e01600 TPC: 00000000103f9e3c TNPC: 00000000103f9e40 Y: +00000000 Tainted: G OE +TPC: +g0: 0000000000000000 g1: 0000000000003fff g2: 0000000000000000 g3: +0000000000000001 +g4: fff80013113299c0 g5: fff8001fa6808000 g6: fff800131132c000 g7: +00000000000000c0 +o0: fff8001fa760c460 o1: fff8001311329a50 o2: fff8001fa7607504 o3: +0000000000000003 +o4: fff8001f96e63a40 o5: fff8001311d77ec0 sp: fff800131132f0e1 ret_pc: +000000000049ed94 +RPC: +l0: 0000000000000000 l1: 0000000000000800 l2: 0000000000000000 l3: +0000000000000000 +l4: 000b2aa30e34b10d l5: 0000000000000000 l6: 0000000000000000 l7: +fff8001fa7605028 +i0: fff80013111a8a00 i1: fff80013155a0780 i2: 0000000000000000 i3: +0000000000000000 +i4: 0000000000000000 i5: 0000000000100000 i6: fff800131132f1a1 i7: +00000000103fa4b0 +I7: +Call Trace: + [00000000103fa4b0] ixgbe_xmit_frame+0x30/0xa0 [ixgbe] + [0000000000998c74] netpoll_start_xmit+0xf4/0x200 + [0000000000998e10] queue_process+0x90/0x160 + [0000000000485fa8] process_one_work+0x188/0x480 + [0000000000486410] worker_thread+0x170/0x4c0 + [000000000048c6b8] kthread+0xd8/0x120 + [0000000000406064] ret_from_fork+0x1c/0x2c + [0000000000000000] (null) +Disabling lock debugging due to kernel taint +Caller[00000000103fa4b0]: ixgbe_xmit_frame+0x30/0xa0 [ixgbe] +Caller[0000000000998c74]: netpoll_start_xmit+0xf4/0x200 +Caller[0000000000998e10]: queue_process+0x90/0x160 +Caller[0000000000485fa8]: process_one_work+0x188/0x480 +Caller[0000000000486410]: worker_thread+0x170/0x4c0 +Caller[000000000048c6b8]: kthread+0xd8/0x120 +Caller[0000000000406064]: ret_from_fork+0x1c/0x2c +Caller[0000000000000000]: (null) + +Signed-off-by: Tushar Dave +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/netpoll.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/net/core/netpoll.c ++++ b/net/core/netpoll.c +@@ -105,15 +105,21 @@ static void queue_process(struct work_st + while ((skb = skb_dequeue(&npinfo->txq))) { + struct net_device *dev = skb->dev; + struct netdev_queue *txq; ++ unsigned int q_index; + + if (!netif_device_present(dev) || !netif_running(dev)) { + kfree_skb(skb); + continue; + } + +- txq = skb_get_tx_queue(dev, skb); +- + local_irq_save(flags); ++ /* check if skb->queue_mapping is still valid */ ++ q_index = skb_get_queue_mapping(skb); ++ if (unlikely(q_index >= dev->real_num_tx_queues)) { ++ q_index = q_index % dev->real_num_tx_queues; ++ skb_set_queue_mapping(skb, q_index); ++ } ++ txq = netdev_get_tx_queue(dev, q_index); + HARD_TX_LOCK(dev, txq, smp_processor_id()); + if (netif_xmit_frozen_or_stopped(txq) || + netpoll_start_xmit(skb, dev, txq) != NETDEV_TX_OK) { diff --git a/queue-3.18/nfsd-check-for-oversized-nfsv2-v3-arguments.patch b/queue-3.18/nfsd-check-for-oversized-nfsv2-v3-arguments.patch new file mode 100644 index 00000000000..9cf09497951 --- /dev/null +++ b/queue-3.18/nfsd-check-for-oversized-nfsv2-v3-arguments.patch @@ -0,0 +1,103 @@ +From e6838a29ecb484c97e4efef9429643b9851fba6e Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" +Date: Fri, 21 Apr 2017 16:10:18 -0400 +Subject: nfsd: check for oversized NFSv2/v3 arguments +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: J. Bruce Fields + +commit e6838a29ecb484c97e4efef9429643b9851fba6e upstream. + +A client can append random data to the end of an NFSv2 or NFSv3 RPC call +without our complaining; we'll just stop parsing at the end of the +expected data and ignore the rest. + +Encoded arguments and replies are stored together in an array of pages, +and if a call is too large it could leave inadequate space for the +reply. This is normally OK because NFS RPC's typically have either +short arguments and long replies (like READ) or long arguments and short +replies (like WRITE). But a client that sends an incorrectly long reply +can violate those assumptions. This was observed to cause crashes. + +Also, several operations increment rq_next_page in the decode routine +before checking the argument size, which can leave rq_next_page pointing +well past the end of the page array, causing trouble later in +svc_free_pages. + +So, following a suggestion from Neil Brown, add a central check to +enforce our expectation that no NFSv2/v3 call has both a large call and +a large reply. + +As followup we may also want to rewrite the encoding routines to check +more carefully that they aren't running off the end of the page array. + +We may also consider rejecting calls that have any extra garbage +appended. That would be safer, and within our rights by spec, but given +the age of our server and the NFS protocol, and the fact that we've +never enforced this before, we may need to balance that against the +possibility of breaking some oddball client. + +Reported-by: Tuomas Haanpää +Reported-by: Ari Kauppi +Reviewed-by: NeilBrown +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfssvc.c | 36 ++++++++++++++++++++++++++++++++++++ + 1 file changed, 36 insertions(+) + +--- a/fs/nfsd/nfssvc.c ++++ b/fs/nfsd/nfssvc.c +@@ -646,6 +646,37 @@ static __be32 map_new_errors(u32 vers, _ + return nfserr; + } + ++/* ++ * A write procedure can have a large argument, and a read procedure can ++ * have a large reply, but no NFSv2 or NFSv3 procedure has argument and ++ * reply that can both be larger than a page. The xdr code has taken ++ * advantage of this assumption to be a sloppy about bounds checking in ++ * some cases. Pending a rewrite of the NFSv2/v3 xdr code to fix that ++ * problem, we enforce these assumptions here: ++ */ ++static bool nfs_request_too_big(struct svc_rqst *rqstp, ++ struct svc_procedure *proc) ++{ ++ /* ++ * The ACL code has more careful bounds-checking and is not ++ * susceptible to this problem: ++ */ ++ if (rqstp->rq_prog != NFS_PROGRAM) ++ return false; ++ /* ++ * Ditto NFSv4 (which can in theory have argument and reply both ++ * more than a page): ++ */ ++ if (rqstp->rq_vers >= 4) ++ return false; ++ /* The reply will be small, we're OK: */ ++ if (proc->pc_xdrressize > 0 && ++ proc->pc_xdrressize < XDR_QUADLEN(PAGE_SIZE)) ++ return false; ++ ++ return rqstp->rq_arg.len > PAGE_SIZE; ++} ++ + int + nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp) + { +@@ -658,6 +689,11 @@ nfsd_dispatch(struct svc_rqst *rqstp, __ + rqstp->rq_vers, rqstp->rq_proc); + proc = rqstp->rq_procinfo; + ++ if (nfs_request_too_big(rqstp, proc)) { ++ dprintk("nfsd: NFSv%d argument too large\n", rqstp->rq_vers); ++ *statp = rpc_garbage_args; ++ return 1; ++ } + /* + * Give the xdr decoder a chance to change this if it wants + * (necessary in the NFSv4.0 compound case) diff --git a/queue-3.18/p9_client_readdir-fix.patch b/queue-3.18/p9_client_readdir-fix.patch new file mode 100644 index 00000000000..a88a814e2fd --- /dev/null +++ b/queue-3.18/p9_client_readdir-fix.patch @@ -0,0 +1,32 @@ +From 71d6ad08379304128e4bdfaf0b4185d54375423e Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Fri, 14 Apr 2017 17:22:18 -0400 +Subject: p9_client_readdir() fix + +From: Al Viro + +commit 71d6ad08379304128e4bdfaf0b4185d54375423e upstream. + +Don't assume that server is sane and won't return more data than +asked for. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + net/9p/client.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/9p/client.c ++++ b/net/9p/client.c +@@ -2106,6 +2106,10 @@ int p9_client_readdir(struct p9_fid *fid + trace_9p_protocol_dump(clnt, req->rc); + goto free_and_error; + } ++ if (rsize < count) { ++ pr_err("bogus RREADDIR count (%d > %d)\n", count, rsize); ++ count = rsize; ++ } + + p9_debug(P9_DEBUG_9P, "<<< RREADDIR count %d\n", count); + diff --git a/queue-3.18/sctp-listen-on-the-sock-only-when-it-s-state-is-listening-or-closed.patch b/queue-3.18/sctp-listen-on-the-sock-only-when-it-s-state-is-listening-or-closed.patch new file mode 100644 index 00000000000..d85a9a521c5 --- /dev/null +++ b/queue-3.18/sctp-listen-on-the-sock-only-when-it-s-state-is-listening-or-closed.patch @@ -0,0 +1,39 @@ +From foo@baz Sun Apr 30 15:50:51 CEST 2017 +From: Xin Long +Date: Thu, 6 Apr 2017 13:10:52 +0800 +Subject: sctp: listen on the sock only when it's state is listening or closed + +From: Xin Long + + +[ Upstream commit 34b2789f1d9bf8dcca9b5cb553d076ca2cd898ee ] + +Now sctp doesn't check sock's state before listening on it. It could +even cause changing a sock with any state to become a listening sock +when doing sctp_listen. + +This patch is to fix it by checking sock's state in sctp_listen, so +that it will listen on the sock with right state. + +Reported-by: Andrey Konovalov +Tested-by: Andrey Konovalov +Signed-off-by: Xin Long +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/socket.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -6400,6 +6400,9 @@ int sctp_inet_listen(struct socket *sock + if (sock->state != SS_UNCONNECTED) + goto out; + ++ if (!sctp_sstate(sk, LISTENING) && !sctp_sstate(sk, CLOSED)) ++ goto out; ++ + /* If backlog is zero, disable listening. */ + if (!backlog) { + if (sctp_sstate(sk, CLOSED)) diff --git a/queue-3.18/series b/queue-3.18/series index 63f969489c1..4758a54b8d1 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -8,3 +8,17 @@ usb-gadget-f_midi-fixed-a-bug-when-buflen-was-smaller-than-wmaxpacketsize.patch xen-x86-don-t-lose-event-interrupts.patch sparc64-kern_addr_valid-regression.patch sparc64-fix-kernel-panic-due-to-erroneous-ifdef-surrounding-pmd_write.patch +net-neigh-guard-against-null-solicit-method.patch +net-phy-handle-state-correctly-in-phy_stop_machine.patch +l2tp-purge-socket-queues-in-the-.destruct-callback.patch +net-packet-fix-overflow-in-check-for-tp_frame_nr.patch +net-packet-fix-overflow-in-check-for-tp_reserve.patch +net-ipv4-fix-multipath-rtm_getroute-behavior-when-iif-is-given.patch +sctp-listen-on-the-sock-only-when-it-s-state-is-listening-or-closed.patch +netpoll-check-for-skb-queue_mapping.patch +ip6mr-fix-notification-device-destruction.patch +alsa-seq-don-t-break-snd_use_lock_sync-loop-by-timeout.patch +mips-kgdb-use-kernel-context-for-sleeping-threads.patch +p9_client_readdir-fix.patch +input-i8042-add-clevo-p650rs-to-the-i8042-reset-list.patch +nfsd-check-for-oversized-nfsv2-v3-arguments.patch